MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf30574d0f05ecb1294f7579bc4c35b0ec9df921c0a15ec50b585994b98d14d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf30574d0f05ecb1294f7579bc4c35b0ec9df921c0a15ec50b585994b98d14d
SHA3-384 hash: 46690b5dbe48883876118080c7ed066dd27e4b3f9882897a2bd70ba562a6de0eb422e11aa11a314395bddb026e919044
SHA1 hash: 372300f5caf75e47ce9b84589a7c63b76d7b796e
MD5 hash: 288c7be5a30315c9f4e293aecca6f912
humanhash: tennessee-triple-ink-queen
File name:yqwit.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:867'328 bytes
First seen:2021-02-08 20:08:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaJy65:xh+ZkldoPK8YaJf
Threatray 60 similar samples on MalwareBazaar
TLSH 90058B0273D1C036FFABA2739B6AF60156BD79254133852F13981DB9BD701B2263E663
Reporter malware_traffic
Tags:exe FickerStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
yqwit.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-08 20:06:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/09da54a1-cba7-4fdc-ba75-320ade38bc00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116100/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Delayed reading of the file
Deleting a recently created file
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/602267
Signature
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 350152 Sample: yqwit.exe Startdate: 08/02/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Very long command line found 2->47 49 4 other signatures 2->49 8 yqwit.exe 15 2->8         started        process3 dnsIp4 33 paste.ee 104.21.45.223, 443, 49723, 49743 CLOUDFLARENETUS United States 8->33 25 C:\Users\user\AppData\Local\...\oGQCwBneO.ps1, ASCII 8->25 dropped 12 powershell.exe 26 8->12         started        file5 process6 signatures7 59 Very long command line found 12->59 15 powershell.exe 15 14 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 35 192.168.2.1 unknown unknown 15->35 37 paste.ee 15->37 39 Writes to foreign memory regions 15->39 41 Injects a PE file into a foreign processes 15->41 21 MSBuild.exe 16 15->21         started        signatures10 process11 dnsIp12 27 185.234.247.233, 49745, 49746, 80 INTERKONEKT-ASPL Russian Federation 21->27 29 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.66.103, 49744, 80 AMAZON-AESUS United States 21->29 31 2 other IPs or domains 21->31 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->51 53 Tries to steal Instant Messenger accounts or passwords 21->53 55 Tries to harvest and steal browser information (history, passwords, etc) 21->55 57 Tries to harvest and steal Bitcoin Wallet information 21->57 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecf30574d0f05ecb1294f7579bc4c35b0ec9df921c0a15ec50b585994b98d14d/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 20:09:05 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tzqk5gq6bpmweuu65lzxrgdlmhmtx4sdqfbl3cqwwczss4y2fgq._file
Verdict:
malicious
Similar samples:
3165b8d9ba511ac3f03f759a1cd159f268bbe7600eb9949cfd60142acecb25eb
FickerStealer
7cf248bdae62a6ff5bbc41566eba5c85b3eaf6f5b22cdf46e56d2cb63a69ccba
FickerStealer
8dabac2e9e7f3d5535d5913b8c52f5210013f5de6fa362bab4f893385c69c39f
FickerStealer
908c2a93ec5f565c60464e1c7d47cfed0de5c65fa03c1c5fcaa545af8c3e3dd6
FickerStealer
9493d9594dbc75d821a8a9fbcb889e6f76e0d570c7b37710562a40a3054f7946
FickerStealer
94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1
FickerStealer
a456769302254d2e6609a7832d93937572b7b73cca217873d7f60678414645e0
FickerStealer
aa04378ed2fd6c9375ca633022250515112801dd5b1bc8c40cbecd36c1349e75
FickerStealer
ad7df9c3f3da564ae38fda8bfa0324a52ed98899696e763dae3bff7dad93262b
FickerStealer
fbd4d497f7eb0a43abc98382f843872f75173d8fdb8f06799198b0e1164c0e95
FickerStealer
+ 50 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware
Link:
https://tria.ge/reports/210208-4sm82cyncs/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Blocklisted process makes network request
Malware Config
Dropper Extraction:
httPs://paste.ee/r/7iwP0
httPs://paste.ee/r/vttmE
Unpacked files
SH256 hash:
ecf30574d0f05ecb1294f7579bc4c35b0ec9df921c0a15ec50b585994b98d14d
MD5 hash:
288c7be5a30315c9f4e293aecca6f912
SHA1 hash:
372300f5caf75e47ce9b84589a7c63b76d7b796e
Link:
https://www.unpac.me/results/df22447b-afff-4b9d-9dbf-70e462bf9091/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecf30574d0f05ecb1294f7579bc4c35b0ec9df921c0a15ec50b585994b98d14d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/116100/

Comments